‘Highly critical’ bug exposes unpatched Drupal sites to attacks

Worse, attackers have already been spotted targeting the flaw to deliver cryptocurrency miners and other payloads

Days after the team behind Drupal urged website admins to apply an update patching a highly critical vulnerability in the content management system (CMS) platform, threat actors were spotted exploiting the loophole in the wild.

The remote code execution (RCE) vulnerability in the Drupal core was assigned a security risk score of 23/25 by the organization behind the platform. The flaw, tracked as CVE-2019-6340, stems from the fact that “some field types do not properly sanitize data from non-form sources”, which may enable attackers to execute arbitrary PHP code on vulnerable sites, reads Drupal’s security alert.

As a result, the team urged Drupal 8.6.x users to update to version 8.6.10 and those with sites running 8.5.x to update to 8.5.11. Older versions of Drupal 8 won’t receive an update, whereas no core update is required for Drupal 7. That said, sites running Drupal 7 may still be vulnerable due to the bug affecting several contributed modules, so admins were urged to check for patches to those modules.

Drupal gave a heads-up of the fix on February 19, i.e. a day before releasing the update itself. Along with the patch came proposed mitigations for Drupal installations where the patch can’t be applied immediately, including a recommendation to disable all web services modules.

Come the next day and a proof-of-concept (PoC) exploit was published online and, as might have been expected, attacks weren’t long in coming. On Monday, Imperva said that it alone had detected dozens of attempts to leverage the flaw and deliver various payloads. These included a JavaScript-based cryptocurrency miner called CoinIMP that, once injected into a vulnerable site, would hijack visitors’ machines to mine for virtual currency such as Monero. Additionally, there have also been attempts to leverage the exploit to plant a shell enabling attackers to upload arbitrary files onto unpatched Drupal sites.

The attacks came from various parts of the world and looked to hit various targets, including those in government and the financial services industry. In addition, Imperva noted that the proposed mitigations actually do not foil the exploitation.